Willie Sutton was a bank robber in the early 1900s, and a quite successful one at that. Over a long career that was hardly illustrious but undeniably lucrative, he amassed over US$2 million. Even without considering inflation, that’s a serious chunk of change. When an interviewer asked him why he robbed banks, he’s reported to have replied, “Because that’s where the money is.”
Though times have changed, the goals and motivations of criminals have not. In the digital realm, cyber attackers target assets that can be easily monetized. The Verizon Data Breach Investigations Report (DBIR) for 2019 states that 71% of breaches are financially motivated. When organizations look to secure assets that may be targeted for financial gain, the focus is often on systems that store financial data or information that can be sold for profit, such as Personally Identifiable Information (PII) or Intellectual Property (IP). However, one angle often overlooked is the people who have access to sensitive data and/or the authority to make financial decisions. And who has more access to systems and data than an executive?
Cyber attackers are not ignorant of this oversight. In fact, there’s a specific term for an attack that targets senior executives – whaling. The term whale comes from the gambling industry. In casinos, “whales” are gamblers willing to bet in excess of $1 million over a single weekend. Casinos will spend a significant amount of time and money to attract and entertain whales in the hope of payouts much larger than their costs. Similarly, a cyber attacker will invest significant resources to target the whales of the corporate world, the senior executives.
Here are two attack scenarios targeting executives:
- A CEO is sent an email (by an attacker posing as a major customer) asking for sensitive information about a product. This information, which only a few senior executives have access to in the organization, is shared by the CEO and then sold to a competing organization. Now, the actual customer would have been bound by a Non-Disclosure Agreement (NDA) prohibiting information-sharing. In other words, an actual customer can be taken to court for leaking sensitive information that they are privy to, but that isn’t the case for an unknown attacker.
- A CFO is sent an email with a link to a phishing website that harvests his or her credentials. If these credentials are the same used for the email account, the attacker can now read and send emails at will. After reviewing past communications, the attacker sends an email to the company’s Accounts Payable department instructing a payment to be made to a vendor, but to a new account. The finance personnel don’t want to question the boss, and hence, wire the payment to the fraudulent account. This is pretty much what happened at toy maker Mattel in 2016.
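The second scenario above rests on signals a mail gateway or SOC can check before a payment request reaches Accounts Payable: an executive's display name on a message from a lookalike or external address, a Reply-To that diverts responses elsewhere, and wording that changes vendor bank details. The Python below is an added illustration, not code from the original article; the organization domain, executive mailbox list, phrase list and the two sample messages are all constructed assumptions.

```python
"""Score raw email messages for whaling / BEC indicators (constructed samples)."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organization settings; replace with real directory data in practice.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine mailbox
PAYMENT_PHRASES = ("new account", "updated bank", "wire", "change of bank")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def looks_like_org_domain(domain):
    """True when the domain is not ours but is a near match (e.g. examp1e.com)."""
    return domain not in ORG_DOMAINS and any(
        difflib.SequenceMatcher(None, domain, d).ratio() >= 0.8 for d in ORG_DOMAINS)

def bec_indicators(raw):
    """Return a sorted list of indicator names found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = str(msg.get_payload()).lower()
    found = []
    # Display name of a known executive paired with an address that is not theirs.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        found.append("exec-name-spoof")
    # Replies silently routed to a different domain than the visible sender.
    if reply and _domain(reply) != _domain(addr):
        found.append("reply-to-mismatch")
    if looks_like_org_domain(_domain(addr)):
        found.append("lookalike-domain")
    if any(p in body for p in PAYMENT_PHRASES):
        found.append("payment-change-request")
    return sorted(found)

# Constructed sample messages for demonstration.
SPOOFED = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe@gmail.example
To: ap@example.com
Subject: Urgent vendor payment

Please wire today's invoice to the vendor's new account (details attached).
"""
LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: ap@example.com
Subject: Lunch

Lunch at noon?
"""
```

Any message with two or more indicators is a candidate for holding until the request is confirmed out of band, which is the check the CFO scenario above lacked.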
Executives are targeted not only for the access and authority they have, but also because, in many cases, they are not the most well-informed on matters related to cybersecurity. This can be attributed to both their busy schedules and, in some cases, being less tech-savvy. It’s important that executives are informed about the current threat environment (e.g., whaling, business email compromise) and trained on securing their online personas 24/7, at work and beyond. After all, as cyber attackers know only too well, “that’s where the money is.” After spending 17 years helping secure information technologies, I have often found myself learning from young grads fresh out of college. This is a testimony to the evolving nature of cybersecurity and the need for continual education.
Security awareness tips for executives and their security teams
Below are just a few security pointers executives should be aware of. Remember, higher-ups in the C-suite are likely to be targeted specifically for their authority and privileged access. The idea is to prevent social engineering or other tactics that would offer an attacker access to their credentials.
Executives
- Use different credentials for work and personal use; enable multi-factor authentication (MFA) whenever possible.
- Do not share credentials, other than with an individual like your executive assistant officially tasked with operating your accounts on your behalf.
- Do not use personal devices to access official resources.
- Be especially careful about cybersecurity threats while traveling; airports, cafes and hotels are hotspots for compromises.
- Do not use public USB charging points.
- Do not use public Wi-Fi unless absolutely required; it’s safer to use your phone as a hotspot.
- Do not leave your laptop unattended in your hotel room.
- When in doubt, ask. This includes asking the security team about a suspicious email or the accounting department about an unexpected payment request.
Security teams
- Do not give executives a free pass during training sessions and phishing simulations.
- Deliver targeted training to executives and their assistants covering plausible scenarios like business email compromise (BEC), pretexting, juice jacking, etc.
- Ensure executive laptops are appropriately secured while traveling, especially to high-risk geographies.
- Establish mechanisms for expedited response to executives’ security concerns.
Conclusion
While conducting Cyber Security Reviews (CSRs) for clients, I often find many do not provide specific executive-focused training. While most have general security awareness programs in place and some impart role-based training for developers and incident responders, few have training specifically for executives. Even if phishing simulations are being conducted, executives are often given a pass when they click on phishing links and are not asked to undergo additional training. In such a scenario, not only are executives not provided targeted training, but existing training mechanisms are also not being used properly. Considering the breach history that demonstrates that executives are specifically targeted, this is a concerning gap that organizations need to address proactively.